[zAy0LfpBZLC8mAC]

Well, it is unlikely in practice because home access routers usually come with a stateful firewall. The important point is that that doesn't change when you remove the NAT. And that is important because people come to all kinds of nonsensical ideas about how IPv6 is dangerous or what you should do to make it less dangerous because you typically don't have NAT with IPv6.

Like, that you should use ULA and NAT with IPv6 so you don't lose the great security benefits of NAT. That is a completely logical conclusion if you believe that NAT provides security benefits. But it's just wrong.

And, yes, TR-069 is also a potential attack vector that you probably also should prevent in any halfway serious business context. Giving your ISP('s infrastructure) access to your internal network probably is not a good idea, no matter what the mechanism is.